Model Checking CTL Is Almost Always Inherently Sequential

This is a repository copy of Model Checking CTL is Almost Always Inherently Sequential.

White Rose Research Online URL for this paper: http://eprints.whiterose.ac.uk/74808/

Proceedings Paper: Beyersdorff, O, Meier, A, Thomas, M et al. (3 more authors) (2009) Model Checking CTL is Almost Always Inherently Sequential. In: Lutz, C and Raskin, J-F, (eds.) 16th International Symposium on Temporal Representation and Reasoning 2009. International Symposium on Temporal Representation and Reasoning, 23 - 25 July 2009, Bressanone, Brixen, Italy. IEEE , 21 - 28 . ISBN 978-0-7695-3727-6 https://doi.org/10.1109/TIME.2009.12

Reuse See Attached

Takedown If you consider content in White Rose Research Online to be in breach of UK law, please notify us by emailing [email protected] including the URL of the record and the reason for the withdrawal request.

[email protected] https://eprints.whiterose.ac.uk/ Model Checking CTL is Almost Always Inherently Sequential∗

Olaf Beyersdorff Arne Meier Michael Thomas Heribert Vollmer Theoretical Computer Science, University of Hannover, Germany {beyersdorff, meier, thomas, vollmer}@thi.uni-hannover.de Martin Mundhenk Computer Science, University of Jena, Germany [email protected] Thomas Schneider Computer Science, University of Manchester, UK [email protected]

Abstract of another event (R), as well as path quantifiers (E, A) for speaking about computation paths. The full language ob- The model checking problem for CTL is known to be tained by these operators and quantifiers is called CTL⋆ [5]. P-complete (Clarke, Emerson, and Sistla (1986), see Schnoe- In CTL, the interaction between the temporal operators and belen (2002)). We consider fragments of CTL obtained path quantifiers is restricted. The temporal operators in CTL by restricting the use of temporal modalities or the use of are obtained by path quantifiers followed directly by any negations—restrictions already studied for LTL by Sistla and temporal operator, e.g., AF and AU are CTL-operators. Be- Clarke (1985) and Markey (2004). For all these fragments, cause they start with the universal path quantifier, they are except for the trivial case without any temporal operator, we called universal CTL-operators. Accordingly, EX and EG systematically prove model checking to be either inherently are examples for existential CTL-operators. sequential (P-complete) or very efficiently parallelizable Since properties are largely verified automatically, the (LOGCFL-complete). For most fragments, however, model computational complexity of reasoning tasks is of great in- checking for CTL is already P-complete. Hence our results terest. Model checking (MC)—the problem of verifying indicate that in most applications, approaching CTL model whether a given formula holds in a state of a given model— checking by parallelism will not result in the desired speed is one of the most important reasoning tasks [15]. It is in- up. tractable for CTL⋆ (PSPACE-complete [6, 15]), but tractable We also completely determine the complexity of the model for CTL (solvable in, and even hard for, polynomial time checking problem for all fragments of the extensions ECTL, [3, 15]). CTL+, and ECTL+. Although model checking for CTL is tractable, its P- hardness means that it is presumably not efficiently parallelizable. We therefore search for fragments of CTL with 1. Introduction a model checking problem of lower complexity. We will consider all subsets of CTL-operators, and examine the com- Temporal logic was introduced by Pnueli [12] as a formal- plexity of the model checking problems for all resulting ism to specify and verify properties of concurrent programs. fragments of CTL. Further, we consider three additional Computation Tree Logic (CTL), the logic of branching time, restrictions affecting the use of negation and study the exten- goes back to Emerson and Clarke [4] and contains tempo- sions ECTL, CTL+, and their combination ECTL+. ral operators for expressing that an event occurs at some The complexity of model checking for fragments of tem- time in the future (F), always in the future (G), in the next poral logics has been examined in the literature: Markey [9] point of time (X), always in the future until another event considered satisfiability and model checking for fragments of holds (U), or as long as it is not released by the occurrence Linear Temporal Logic (LTL). Under systematic restrictions ∗Supported in part by grants DFG VO 630/6-1 and DAAD-ARC to the temporal operators, the use of negation, and the inter- D/08/08881. action of future and past operators, Markey classified the two

1 decision problems into NP-complete, coNP-complete, and ⊥, the Boolean connectives ¬, ∧, and ∨, and the temporal PSPACE-complete. Further, [1] examined model checking operator symbols A, E, X, F, G, U, and R. for all fragments of LTL obtained by restricting the set of A and E are called a path quantifiers, temporal operators temporal and propositional operators. The resulting classi- aside from A and E are pure temporal operators. The atomic fication separated cases where model checking is tractable propositions and the constants ⊤ and ⊥ are atomic formulae. from those where it is intractable. There are two kinds of formulae, state formulae and path Concerning CTL and its extension ECTL, our results in formulae. Each atomic formula is a state formula, and each this paper show that most restricted versions of the model state formula is a path formula. If ϕ, ψ are state formulae checking problem exhibit the same hardness as the general and χ, π are path formulae, then ¬ϕ, (ϕ ∧ ψ), (ϕ ∨ ψ), problem. More precisely, we show that apart from the trivial Aχ, Eχ are state formulae, and ¬χ, (χ ∧ π), (χ ∨ π), Xχ, case where CTL-operators are completely absent, the com- Fχ, Gχ, [χUπ], and [χRπ] are path formulae. The set of plexity of CTL model checking is a dichotomy: it is either CTL⋆-formulae (or formulae) consists of all state formulae. P-complete or LOGCFL-complete. Unfortunately, the latter A Kripke structure is a triple K = (W, R, η), where W case only occurs for a few rather weak fragments and hence is a finite set of states, R ⊆ W × W a total relation (i. e., for there is not much hope that in practice, model checking can each w ∈ W , there exists a w′ such that (w, w′) ∈ R), and be sped up by using parallelism—it is inherently sequential. η : W → P(Φ) is a labelling function. A path x is an infinite ω Put as a simple rule, model checking for CTL is P- sequence x = (x1, x2,...) ∈ W such that (xi, xi+1) ∈ R, i complete for every fragment that allows to express a uni- for all i ≥ 1. For a path x = (x1, x2,...) we denote by x versal and an existential CTL-operator. Only for fragments the path (xi, xi+1,...). involving the operators EX and EF (or alternatively AX and Let K = (W, R, η) be a Kripke structure, w ∈ W be a ω AG) model checking is LOGCFL-complete. This is visual- state, and x = (x1, x2,... ) ∈ W be a path. Further, let ized in Fig. 2 in Sect. 5. Recall that LOGCFL is defined ϕ, ψ be state formulae and χ, π be path formulae. The truth as the class of problems logspace-reducible to context-free of a CTL⋆-formula w. r. t. K is inductively defined as: languages, and NL ⊆ LOGCFL ⊆ NC2 ⊆ P. Hence, in contrast to inherently sequential P-hard tasks, problems in K, w |= ⊤ always, LOGCFL have very efficient parallel algorithms. K, w |= ⊥ never, For the extensions CTL+ and ECTL+, the situation is K, w |= p iff p ∈ Φ and p ∈ η(w), more complex. In general, model checking CTL+ and K, w |= ¬ϕ iff K, w 6|= ϕ, + p K, w ϕ ψ iff K, w ϕ and K, w ψ, ECTL is ∆ -complete [8]. We show that for T ⊆ |= ( ∧ ) |= |= 2 K, w ϕ ψ iff K, w ϕ or K, w ψ, {A, E, X}, both model checking problems remain tractable, |= ( ∨ ) |= |= A E X p K, w |= Aχ iff K, x |= χ for all paths while for T * { , , }, both problems become ∆2- complete. Yet, for negation restricted fragments with only x = (x1, x2,...) with x1 = w, existential or only universal path quantifiers, we observe a K, x |= ϕ iff K, x1|= ϕ, complexity decrease to NP- resp. coNP-completeness. K, x |= ¬χ iff K, x 6|= χ, K, x |= (χ ∧ π) iff K, x |= χ and K, x |= π, This paper is organized as follows: Section 2 introduces K, x |= (χ ∨ π) iff K, x |= χ or K, x |= π, CTL, its model checking problems, and the non-basics of K, x |= Xχ iff K, x2|= χ complexity theory we use. Section 3 contains our main K, x |= [χUπ] iff there exists k ∈ such that results, separated into upper and lower bounds. We also N K, xi |= χ for 1 ≤ i < k and provide a refined analysis of the reductions between different K, xk |= π. model checking problems with restricted use of negation. The results are then generalized to extensions of CTL in The semantics of the remaining temporal operators is Section 4. Finally, Section 5 concludes with a graphical defined via the equivalences: Eχ ≡ ¬A¬χ, Fχ ≡ [⊤Uχ], overview of the results. For brevity, some proofs are omitted Gχ ≡ ¬F¬χ, and [χRπ] ≡ ¬[¬χU¬π]. A state formula ϕ and will be included in the full version of this paper. is satisfied by a Kripke structure K if there exists w ∈ W such that K, w |= ϕ. We will also denoted this by K |= ϕ. ⋆ 2. Preliminaries A CTL-formula is a CTL -formula in which each path quantifier is followed by exactly one pure temporal operator and each pure temporal operator is preceded by exactly one 2.1. Temporal Logic path quantifier. The set of CTL-formulae forms a strict sub- set of the set of all CTL⋆-formulae. For example, AGEFp is We inductively define CTL⋆-formulae as follows. Let Φ a CTL-formula, but A(GFp ∧ Fq) is not. Pairs of path quan- be a finite set of atomic propositions. The symbols used are tifiers and pure temporal operators are called CTL-operators. the atomic propositions in Φ, the constant symbols ⊤ and The operators AX, AF, AG, AU, and AR are universal CTL-

2 AX, AF, AR 2.3. Complexity Theory

We assume familiarity with standard notions of complexity theory (cf. [11]). Next we will introduce the notions from AF, AR circuit complexity that we use for our results. All reductions AG AU , in this paper are ≤cd-reductions deﬁned as follows: A lan- AX, AU AX, AR guage A is constant-depth reducible to B, A ≤cd B, if there AX, AF, AG is a logtime-uniform AC0-circuit family with oracle gates for B that decides membership in A. That is, there is a circuit

AX, AF AF, AG AX, AG family C = (C1,C2,C3,... ) such that

AU AR • for every n, Cn computes the characteristic function of A for inputs of length n, AF AX AG • there is a polynomial p and a constant d such that for all input lengths n, the size of Cn is bounded by p(n)

∅ and the depth of Cn is bounded by d, • each circuit Cn consists of unbounded fan-in AND and OR gates, negation gates, and gates that compute the Figure 1. The expressive power of CTL(T ). characteristic function of B (the oracle gates), • there is a linear-time Turing machine M that can check EX EF EG EU ER operators, and , , , , and are existential CTL- the structure of the circuit family, i.e., given a tu- ALL operators. Let denote the set of all CTL-operators. ple hn, g, t, hi where n, g, h are binary numbers and A U AF E U Note that [ψ χ] ≡ χ ∧ ¬ [¬χ (¬ψ ∧ ¬χ)], and thus t ∈ {AND, OR, NOT, ORACLE}, M accepts if C E R EG E U AX AF AR n [ψ χ] ≡ χ ∨ [χ (ψ ∧ χ)]. Hence { , , } is a contains a gate g of type t with predecessor h. minimal set of CTL-operators for CTL (in presence of all Boolean connectives), whereas {AX, AG, AU} is not com- Circuit families C with this last property are called logtime- plete for CTL [7]. uniform (the name stems from the fact that the time needed By CTL(T ) we denote the set of CTL-formulae using by M is linear in the length of its input tuple, hence logarith- the connectives {∧, ∨, ¬} and the CTL-operators in T only. mic in n). For background information we refer to [13, 18]. Figure 1 shows the structure of sets of CTL-operators with We easily obtain the following relations between model respect to their expressive power. Moreover, we deﬁne the checking for fragments of CTL with restricted negation: following fragments of CTL(T ): Lemma 2.1. For every set T of CTL-operators, we have • CTLpos(T ) (positive): CTL-operators may not occur CTLmon-MC(T ) ≤cd CTLa.n.-MC(T ) ≤cd CTLpos-MC(T ). in the scope of a negation, Further, for model checking, atomic negation can be eluded, i. e., CTL -MC(T ) ≤ CTL -MC(T ). • CTLa.n.(T ) (atomic negation): negation signs appear a.n. cd mon only directly in front of atomic propositions, In Sect. 3.3 we complete the picture by showing that also • CTLmon(T ) (monotone): no negation signs allowed. CTLpos-MC(T ) ≤cd CTLmon-MC(T ). The class P consists of all languages that have a This restricted use of negation was introduced and studied polynomial-time decision algorithm. A problem is P- in the context of linear temporal logic, LTL, by Sistla and complete if it is in P and every other problem in P reduces to Clarke [17] and Markey [9]. Their original notation was it. P-complete problems are sometimes referred to as inher- L(T ) for CTL (T ) and L+(T ) for CTL (T ). a.n. pos ently sequential, because P-complete problems most likely (formally: if P NC) do not possess NC-algorithms, that 2.2.e Model Checking 6= is, algorithms running in polylogarithmic time on a parallel computer with a polynomial number of processors. For- Now we deﬁne the model checking problems for the mally, NC contains all problems solvable by polynomial-size above mentioned fragments of CTL. Let L be CTL, CTL , mon polylogarithmic-depth logtime-uniform families of circuits CTL , or CTL . a.n. pos with bounded fan-in AND, OR, NOT gates. Problem: L-MC(T ) There is an NC-algorithm for parsing context-free lan- Input: A Kripke structure K = (W, R, η), guages, that is, CFL ⊆ NC. Therefore, complexity theo- a state w ∈ W , and an L(T )-formula ϕ. rists have studied the class LOGCFL of all problems re- Question: Does K, w |= ϕ hold? ducible to context-free languages (the name “LOGCFL”

3 refers to the original definition of the class in terms of expressible the model checking problem remains P-complete. logspace-reductions, however it is known that the class Otherwise, its complexity drops to LOGCFL. does not change if instead, as everywhere else in this paper, Theorem 3.2. Let T be any set of CTL-operators. Then ≤ -reductions are used). Hence, LOGCFL ⊆ NC (even cd CTL -MC(T ) is LOGCFL ⊆ NC2, the second level of the NC-hierarchy, pos where the depth of the occurring circuits is restricted to • NC1-complete if T = ∅, O(log2 n)). The class LOGCFL has a number of different • LOGCFL-complete if ∅= 6 T ⊆ {EX, EF} or ∅= 6 T ⊆ maybe even somewhat surprising characterizations, e. g., {AX, AG}, and languages in LOGCFL are those that can be decided by non- deterministic Turing machines operating in polynomial time • P-complete otherwise. that have a worktape of logarithmic size and additionally a We split the proofs of Theorems 3.1 and 3.2 into the upper stack whose size is not bounded. and lower bounds in the following two subsections. More important for this paper is the characterization of 1 LOGCFL as those problems computable by SAC circuit 3.1. Upper Bounds families, that is families of circuits that • have polynomial size and logarithmic depth, In general, model checking for CTL is known to be solvable in P [3]. While this upper bound also applies to • consist of unbounded fan-in OR gates and bounded fan- CTL -MC(T ) (for every T ), we improve it for positive in AND gates and negation gates, but the latter are only pos CTL-formulae using only EX and EF, or only AX and AG. allowed at the input-level, • are logtime-uniform (as defined above). Proposition 3.3. Let T be a set of CTL-operators such that T ⊆ {EX, EF} or T ⊆ {AX, AG}. Then CTLpos-MC(T ) is Since the class LOGCFL is known to be closed under com- in LOGCFL. plementation, the second condition can equivalently be re- Proof. EX EF placed to allow unbounded fan-in AND gates and restrict the First consider the case T ⊆ { , }. We claim fan-in of OR gates to be bounded. that Algorithm 1 recursively decides whether the Kripke To summarize: structure K = (W, R, η) satisfies the CTLpos(T )-formula 1 1 2 ϕ in state w0 ∈ W . There, S is a stack that stores pairs NC ⊆ L ⊆ NL ⊆ LOGCFL = SAC ⊆ NC ; ⋆ and problems in these classes possess very efficient paral- (ϕ, w) ∈ CTLpos(T ) × W and R denotes the transitive closure of R. lel algorithms: they can be solved in time O(log2 n) on a parallel machine with a tractable number of processors. For Algorithm 1 always terminates because each subformula more background on these and related complexity classes, of ϕ is pushed to the stack S at most once. For correct- we refer the reader to [18]. ness, an induction on the structure of formulae shows that Algorithm 1 returns false if and only if for the most recently popped pair (ψ, w) from S, we have K, w 6|= ψ. Thence, in 3. Model Checking CTL and CTLpos particular, Algorithm 1 returns true iff K, w |= ϕ. Algorithm 1 can be implemented on a nondeterminis- This section contains our main results on the complex- tic polynomial-time Turing machine that besides its (un- ity of model checking for CTL and CTLpos. We defer the bounded) stack uses only logarithmic memory for the local analysis of the fragments CTLa.n. and CTLmon to Sect. 3.3 variables. Thus CTLpos-MC(T ) is in LOGCFL. where we will see that their model-checking problems are The case T ⊆ {AX, AG} is analogous and follows from computationally equivalent to model checking for CTLpos. closure of LOGCFL under complementation. While model checking for CTL in general is known to be polynomial time solvable and in fact P-complete [3, 15], we Finally, for the trivial case where no CTL-operators are improve the lower bound by showing that only one temporal present, model checking CTL(∅)-formulae is equivalent to operator is sufficient to obtain hardness for P. the problem of evaluating a propositional formula. This problem is known to be solvable in NC1 [2]. Theorem 3.1. For each nonempty set T of CTL-operators, CTL-MC(T ) is P-complete. If T = ∅, then CTL-MC(T ) is 3.2. Lower Bounds NC1-complete. The P-hardness of model checking for CTL is folklore If we consider only formulae from CTL , where no pos in the model checking community (cf. [15]), but we could CTL-operators are allowed inside the scope of a negation, not find a formal proof.1 We improve this lower bound and the situation changes and the complexity of model checking exhibits a dichotomous behavior. As long as EG or AF are 1In [15], an informal proof sketch is given.

4 Algorithm 1 Determine whether K, w0 |= ϕ. where ψi(x) := AX(x) if M’s configurations after the ith step are universal, and ψ x EX x otherwise. No- Require: a Kripke structure K = (W, R, η), w0 ∈ W , i( ) := ( ) tice that the constructed CTL-formula does not contain any ϕ ∈ CTLpos(T ) propositional operator. Since p n and q n are polynomi- 1: push(S, (ϕ, w0)) ( ) ( ) 2: while S is not empty do als, the size of K and ϕ is polynomial in the size of (M, x). 3: (ϕ, w) ← pop(S) Moreover, K and ϕ can be constructed from M and x using 0 AX EX 4: if ϕ is a propositional formula then AC -circuits. Thus, A ≤cd CTLmon-MC({ , }) for all 5: if ϕ evaluates to false in w under η then A ∈ ALOGSPACE = P. AF EG 6: return false For T = { , } we take new atomic propositions 7: end if d0, . . . , dp(n) and modify the above reduction by defining 8: else if ϕ = α ∧ β then the formulas η and ψi as follows: 9: push(S, (β, w)) η(w) := {d | w = cj, 1 ≤ i ≤ q(n)} ∪ 10: push(S, (α, w)) j i {t | w is an accepting configuration} 11: else if ϕ = α ∨ β then 12: nondet. push(S, (α, w)) or push(S, (β, w)) AF(di+1 ∧ x), if M’s configurations in (1) EX 13: else if ϕ = α then ψi(x) :=  step i are universal, 14: nondet. choose w′ ∈ {w′ | (w, w′) ∈ R}  EG(Di+1 ∨ x), otherwise, 15: push(S, (α, w′))  16: EF else if ϕ = α then where Di = i6=j∈{0,...,p(n)} dj. ′ ′ ′ ⋆ 17: nondet. choose w ∈ {w | (w, w ) ∈ R } For the combinationsW of T being one of {AF, EF}, 18: push(S, (α, w′)) {AF, EX}, {AG, EG}, {AG, EX}, {AX, EF}, and {AX, EG}, 19: end if the P-hardness of CTLmon-MC(T ) is obtained using analo- 20: end while gous modifications to η and the ψi’s. 21: return true For the remaining combinations involving the until or the release operator, observe that w. r. t. the Kripke structure K as defined in (1), AF(d ∧ x) and EG(D ∨ x) are equivalent concentrate on the smallest fragments of monotone CTL— i i to A[d Ux] and E[d Ux], and R and U are duals. w. r. t. CTL-operators—with P-hard model checking. i−1 i−1 Proposition 3.4. Let T denote a set of CTL-operators. Then In the presence of arbitrary negation, universal operators are definable by existential operators and vice versa. Hence, CTLmon-MC(T ) is P-hard if T contains an existential and a universal CTL-operator. from Proposition 3.4 we obtain the following corollary. Proof. First, assume that T = {AX, EX}. We give a generic Corollary 3.5. The model checking problem CTL-MC(T ) reduction from alternating Turing machines working in log- is P-hard for each nonempty set T of CTL-operators. arithmic space. Let M be such a machine and let x be an input to M. We may assume w. l. o. g. that each transition of Returning to monotone CTL, in most cases even one M leads from an existential to a universal configuration and operator suffices to make model checking P-hard: vice versa. Further we may assume that each computation of Proposition 3.6. Let T denote a set of CTL-operators. Then M ends after the same number p(n) of steps, where p is a CTLmon-MC(T ) is P-hard if T contains at least one of the polynomial and n is the length of M’s input. operators EG, EU, ER, AF, AU, or AR. Let c1, . . . , cq(n) be an enumeration of all possible configurations of M on input x, starting with the initial configu- The proof of this proposition proceeds similarly as the ration c1 and polynomial q. We construct a Kripke structure proof of Proposition 3.4, but is technically more involved. j AX EX K := (W, R, η) by defining the set W := {ci | 1 ≤ i ≤ In essence, it shows that both and can be simulated q(n), 0 ≤ j ≤ p(n)} and the relation R ⊆ W × W as by using only EG. By Lemma 2.1, CTLmon-MC(T ) ≤cd CTLpos-MC(T ) j j+1 M reaches configuration ck from and hence the above results directly translate to model R := (ci , ck ) ci in one step, 0 ≤ j < p(n) checking for CTLpos: for any set T of temporal opera- ∪ {(cp(n), cp(n )) 1 ≤ i ≤ q(n)}. EX EF i i tors, CTLpos-MC(T ) is P-hard if T * { , } or if  AX AG The labelling functionη is defined as η(w) := {t} iff w is T * { , }. These results cannot be improved w. r. t. EX EF AX AG an accepting configuration, and η(w) = ∅ otherwise. Then T , as for T ⊆ { , } and T ⊆ { , } we obtain a it holds that LOGCFL upper bound for model checking from Proposi- tion 3.3. In the following proposition we prove the matching 0 M accepts x ⇐⇒ K, c1 |= ψ1 ψ2 ··· ψp(n)(t) ··· , LOGCFL lower bound. 5 Proposition 3.7. For every nonempty set T of CTL- ∨, and the CTL-operator EX. To construct ϕ we recursively operators, the model checking problem CTLmon-MC(T ) is define formulae (ϕi)0≤i≤ℓ by LOGCFL-hard. t, if i = ℓ, Proof. As explained in Sect. 2.3, LOGCFL can be character-  ϕi := EXϕi+1, if i is even (∨-layers), ized as the set of languages recognizable by logtime-uniform  1 EX i ϕ , if i is odd ( -layers). SAC circuits, i. e., circuits of logarithmic depth and poly- i=1,2 ( ∧ i+1) ∧ nomial size consisting of ∨-gates with unbounded fan-in V We define the reduction function f as the mapping (C, x) 7→ and ∧-gates with fan-in 2. For every single CTL-operator (K, v0, ϕ), where v0 is the node corresponding to the output O, we will show that CTLmon-MC(T ) is LOGCFL-hard for gate of C and ϕ := ϕ0. We stress that the size of ϕ is all T ⊇ {O} by giving a generic ≤cd-reduction f from the 1 polynomial, for the depth of C is logarithmic only. Clearly, word problem for SAC circuits to CTLmon-MC(T ). EX each minimal accepting subtree (cf. [14] or [18, Definition First, consider ∈ T . Let C be a logtime-uniform ′ 1 4.15]) of C on input x translates into a sub-structure K of SAC circuit of depth ℓ with n inputs and let x = ′ n K such that K , v0 |= ϕ where x1 . . . xn ∈ {0, 1} . Assume w. l. o. g. that C is layered ′ into alternating layers of ∧-gates and ∨-gates and that the 1. K includes v0, output gate of C is an ∨-gate. We number the layers bottom- 2. K′ includes one successor for every node correspond- up, that is, the layer containing (only) the output gate has ing to an ∨-gate, and level 0, whereas the input-gates and negations of the input- gates are situated in layer ℓ. Denote the graph of C by 3. K′ includes the two successors of every node corre- G := (V,E), where V := Vin ⊎ V∧ ⊎ V∨ is partitioned sponding to an ∧-gate. into the sets corresponding to the (possibly negated) input- As C(x) = 1 iff there exists a minimal accepting subtree gates, the ∧-gates, and the ∨-gates, respectively. G is acyclic of C on x, the LOGCFL-hardness of CTL -MC(T ) for and directed with paths leading from the input to the output mon EX ∈ T follows. gates. From (V,E), we construct a Kripke structure that Second, consider EF ∈ T . We have to extend our Kripke allows to distinguish the two predecessors of an ∧-gate from structure to contain information about the depth of the corre- each other. This will be required to model proof trees using sponding gate. We may assume w. l. o. g. that C is encoded CTL ({EX})-formulae. mon such that each gate contains an additional counter holding For i ∈ {1, 2}, let V i := {vi | v ∈ V }, V i := {vi | in in ∨ the distance to the output gate (which is equal to the number v ∈ V } and define V i := V i ∪ V i. Further define ∨ in,∨ in ∨ of the layer it is contained in, cf. [18]). We extend η to

′ i i include this distance i, 1 ≤ i ≤ ℓ into “depth-propositions” E := (v, u ) ∈ V∧ × V , | (u, v) ∈ E and u is the ith in ∨ di as in the proof of Proposition 3.4. Denote this modified 1 2 ′ ′ predecessor of v ∪ (v, v) | v ∈ Vin ∪ Vin ∪ Kripke structure by K . Further, we define (ϕi)0≤i≤ℓ as i i (v , u) ∈ Vin,∨ × V∧ | (u, v) ∈ E , dℓ ∧ t, if i = ℓ, i∈{[1,2} ϕ′ := EF(d ∧ ϕ′ ), if i is even, i  i+1 i+1  EF ′ where the ordering of the predecessors is implicitly given i=1,2 (di+1 ∧ i ∧ ϕi+1), if i is odd. in the encoding of C. We now define a Kripke structure V ′ ′ ′ 1 2  ′ ′ K := (V ,E , η) with states V := Vin,∨ ∪ Vin,∨ ∪ V∧, Redefining the reduction f as (C, x) 7→ (K , v0, ϕ0) yields ′ ′ relation E , and labelling function η : V → P({1, 2, t}), the LOGCFL-hardness of CTLmon-MC(T ) for EF ∈ T . Third, let AX ∈ T . Consider the reduction in case 1 for i CTL EX -formulae, and let f C, x K, v , ϕ be {i, t}, if v = vinj ∈ Vin and xj = 1, mon({ }) ( ) = ( 0 ) {i, t}, if v = v ∈ V i and x = 0, the output of the reduction function. It holds that C(x) = 1  inj in j  i iff K, v0 |= ϕ, and equivalently C(x) = 0 iff K, v0 |= ¬ϕ. {i}, if v = vinj ∈ V and xj = 0, η v  in Let ϕ′ be the formula obtained from ¬ϕ by multiplying the ( ) :=  i {i}, if v = vin ∈ V and xj = 1, ′  j in negation into the formula. Then ϕ is a CTLa.n.({AX})- {i}, if v ∈ V i,  ∨ formula. Since LOGCFL is closed under complement,  AX ∅, otherwise, it follows that CTLa.n.-MC({ }) is LOGCFL-hard. Us-  AX  ing Lemma 2.1, we obtain that CTLmon-MC({ }) is where i = 1, 2, j = 1, . . . , n and vin1 , . . . , vinn , LOGCFL-hard, too. AG vin1 ,..., vinn enumerate the input gates and their negations. An analogous argument can be used for the case ∈ T . The formula ϕ that is to be evaluated on K will consist of The remaining fragments are even P-complete by Proposi- atomic propositions 1, 2 and t, Boolean connectives ∧ and tion 3.6.

6 Using Lemma 2.1 we obtain LOGCFL-hardness of for a Kripke structure K, a path x = (x1, x2,...), and a CTLpos-MC(T ) for all nonempty sets T of CTL-operators. path formula χ

In the absence of CTL-operators, the lower bound for ∞ the model checking problem again follows from the lower K, x |= Fχ iff K, xi |= Fχ for all i ∈ N. bound for evaluating monotone propositional formulae. This ∞ problem is known to be hard for NC1 [2, 16]. The dual operator G is deﬁned analogously. As for CTL, model checking for ECTL is known to be tractable. More- 3.3. The Power of Negation over, our next result shows that even for all fragments, model checking for ECTL is not harder than for CTL. We will now show that model checking for the fragments Theorem 4.1. Let T be a set of temporal opera- CTL and CTL is computationally equivalent to model ′ a.n. pos tors. Then ECTL-MC(T ) ≡cd CTL-MC(T ) and checking for CTL , for any set T of CTL-operators. Since ′ ′ mon ECTLpos-MC(T ) ≡cd CTLpos-MC(T ), where T is ob- ∞ ∞ we consider cd-reductions, this is not immediate. tained from T by substituting F, G with F, G. From Lemma 2.1 it follows that the hardness re- + sults for CTLmon-MC(T ) also hold for CTLa.n.-MC(T ) Another extension of CTL is CTL where Boolean com- and CTLpos-MC(T ). Moreover, the algorithms for binations of pure temporal operators are allowed in the scope CTLpos-MC(T ) also work for CTLmon-MC(T ) and of path quantiﬁers. In contrast to CTL, model checking for + p CTLa.n.-MC(T ) without using more computation resources. CTL is not tractable, but ∆2-complete [8]. Below we clas- Both observations together yield the same completeness re- sify the complexity of model checking for both full and sults for all CTL-fragments with restricted negations. positive fragments of CTL+.

Theorem 3.8. Let T be any set of CTL-operators. Then Theorem 4.2. Let T be a set of temporal operators. Then + CTLmon-MC(T ), CTLa.n.-MC(T ), and CTLpos-MC(T ) are CTL -MC(T ) is 1 • NC1-complete if T is empty, • NC -complete if T ⊆ {A, E} or T = {X}, X A E X • LOGCFL-complete if ∅= 6 T ⊆ {EX, EF} or ∅= 6 T ⊆ • P-complete if { } ( T ⊆ { , , }, and AX AG p { , }, • ∆2-complete otherwise. • P-complete otherwise. Theorem 4.3. Let T be a set of temporal operators. Then + As all complete sets for a class are equivalent, we ob- CTLpos-MC(T ) is tain reductions between the model checking problems for • NC1-complete if T ⊆ {A, E} or T = {X}, all negation-restricted fragments of CTL. This extends Lemma 2.1. • LOGCFL-complete if T = {A, X} or T = {E, X}, • P-complete if T = {A, E, X}, Corollary 3.9. For every set T of CTL-operators, the prob- • NP-complete if E ∈ T , A 6∈ T , and T contains a pure lems CTLmon-MC(T ), CTLa.n.-MC(T ), and CTLpos-MC(T ) are equivalent w.r.t. cd-reducibility. temporal operator aside from X, • coNP-complete if A ∈ T , E 6∈ T , and T contains a We remark that this equivalence is not straightforward. pure temporal operator aside from X, and Simply applying de Morgan’s laws to transform one prob- p lem into another requires counting the number of negations • ∆2-complete otherwise. on top of ∧- and ∨-connectives. This counting cannot be + + 0 Finally, ECTL is the combination of ECTL and CTL . achieved by an AC -circuit and does not lead to the aspired For its model checking problem we obtain: reduction. Here we obtain equivalence of the problems as a consequence of our generic hardness proofs in Sect. 3.2. Corollary 4.4. Let T be a set of temporal opera- + + ′ tors. Then ECTL -MC(T ) ≡cd CTL -MC(T ) and + + ′ ECTLpos-MC(T ) ≡cd CTLpos-MC(T ), where T is ob- 4. Model Checking Extensions of CTL ∞ ∞ tained from T by substituting F, G with F, G. What CTL lacks in practice is the ability to express fair- ness properties. To address this shortcoming, Emerson and 5. Conclusion Halpern introduced ECTL in [5]. ECTL extends CTL with ∞ the F-operator, which states that for every moment in the fu- We have shown (Theorem 3.2) that model checking for ture, the enclosed formula will eventually be satisﬁed again: CTLpos(T ) is already P-complete for most fragments of

7 EX, EF References

LOGCFL-c. [1] M. Bauland, M. Mundhenk, T. Schneider, H. Schnoor, EX, EF AX, AG, O I. Schnoor, and H. Vollmer. The tractability of model check- O ing for LTL: the good, the bad, and the ugly fragments. In NC1-c. P-c. ALL Proc. Methods for Modalities 5, pages 125–140. ENS Cachan, 2007. Also at CoRR http://arxiv.org/abs/0805.0498. AX, AG EX, EF, O [2] S. R. Buss. The Boolean formula value problem is in ALOG- LOGCFL-c. TIME. In Proc. 19th Symposium on Theory of Computing, pages 123–131. ACM Press, 1987. AX, AG [3] E. Clarke, E. A. Emerson, and A. Sistla. Automatic ver- O = AF, AU, AR, EG, EU, ER ification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2):244–263, 1986. Figure 2. The complexity of CTLpos-MC(T ) for [4] E. A. Emerson and E. M. Clarke. Using branching time tem- all sets T of CTL-operators (depicted as a “fi- poral logic to synthesize synchronization skeletons. Science nite automaton” where states indicate com- of Computer Programming, 2(3):241–266, 1982. pleteness results and arrows indicate an in- [5] E. A. Emerson and J. Y. Halpern. “Sometimes” and “not crease of the set of CTL-operators). never” revisited: on branching versus linear time temporal logic. Journal of the ACM, 33(1):151–178, 1986. [6] E. A. Emerson and C.-L. Lei. Modalities for model checking: Branching time logic strikes back. Science of Computer CTL. Only for some weak fragments, model checking be- Programming, 8(3):275–306, 1987. comes easier: if T ⊆ {EX, EF} or T ⊆ {AX, AG}, then [7] F. Laroussinie. About the expressive power of CTL com- binators. Information Processing Letters, 54(6):343–345, CTLpos-MC(T ) is LOGCFL-complete. In the case that no 1 1995. CTL-operators are used, NC -completeness of evaluating [8] F. Laroussinie, N. Markey, and P. Schnoebelen. Model Check- propositional formulae applies. As a direct consequence ing CTL+ and FCTL is Hard. In Proc. Foundations of Soft- (Theorem 3.1), model checking for CTL(T ) is P-complete ware Science and Computation Structure (FOSSACS’2001), for every nonempty T . This shows that for the majority of pages 318–331. Springer, 2001. interesting fragments, model checking CTL(T ) is inherently [9] N. Markey. Past is for free: on the complexity of verifying sequential and cannot be sped up by using parallelism. linear temporal properties with past. Acta Informatica, 40(6- While all the results above can be transferred to ECTL 7):431–458, 2004. + + [10] A. Meier, M. Mundhenk, M. Thomas, and H. Vollmer. The (Theorem 4.1), CTL and ECTL exhibit different proper- ⋆ complexity of satisfiability for fragments of CTL and CTL . ties. For both logics, the general model checking problem p In Proc. 2nd Workshop on Reachability Problems in Compu- was shown to be complete for ∆2 in [8]. Here we proved tational Models (RP 2008), pages 201–213, 2008. + + that model checking fragments of CTL (T ) and ECTL (T ) [11] C. H. Papadimitriou. Computational Complexity. Addison- for T ⊆ {A, E, X} remains tractable, while the existential Wesley, Reading, MA, 1994. + + and the universal fragments of CTLpos(T ) and ECTLpos(T ) [12] A. Pnueli. The temporal logic of programs. In Proc. 18th containing temporal operators other than X are complete for Symposium on Foundations of Computer Science, pages 46– NP and coNP, respectively. 57. IEEE Computer Society Press, 1977. [13] K. Regan and H. Vollmer. Gap-languages and log-time com- Instead of restricting only the use of negation as done plexity classes. Theoretical Computer Science, 188:101–116, in this paper, one might go one step further and restrict 1997. the allowed Boolean connectives in an arbitrary way. One [14] W. L. Ruzzo. Tree-size bounded alternation. Journal of might, e. g., allow the exclusive-OR as the only proposi- Computer and System Sciences, 21:218–235, 1980. tional connective. This has been done for the case of lin- [15] P. Schnoebelen. The complexity of temporal logic model ear temporal logic LTL in [1], where the complexity of checking. In Advances in Modal Logic, pages 393–436, 2002. LTL-MC(T,B) for an arbitrary set T of temporal operators [16] H. Schnoor. The complexity of the Boolean formula value and B of propositional connectives was studied. We think problem. Technical report, Theoretical Computer Science, that a corresponding study for CTL (or CTL⋆) is an interest- University of Hannover, 2005. [17] A. Sistla and E. Clarke. The complexity of propositional ing topic for further research. For example, restricting the linear temporal logics. Journal of the ACM, 32(3):733–749, Boolean connectives to only one of the functions AND or 1985. OR leads to many NL-complete fragments, but a full classi- [18] H. Vollmer. Introduction to Circuit Complexity – A Uniform fication is still open. The computational complexity of the Approach. Texts in Theoretical Computer Science. Springer corresponding satisfiability problems CTL-SAT(T,B) and Verlag, Berlin Heidelberg, 1999. CTL⋆-SAT(T,B) has been completely determined in [10].